8515066

Method, Apparatus and Program for Establishing Encrypted Communication Channel Between Apparatuses

Published: August 20, 2013
Assignee: not available in USPTO data
Technical Abstract

Patent Claims
16 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A session management apparatus that can connect to a first apparatus and a second apparatus over a network, the first apparatus and the second apparatus exchanging Session Initiation Protocol (SIP) messages via the session management apparatus to establish a connection, the session management apparatus comprising: circuitry configured to: exchange key information for encrypted communication with the first apparatus; perform mutual authentication with the first apparatus to establish a first encrypted communication channel between the session management apparatus and the first apparatus; and to store a name of the first apparatus and identification information of the first encrypted communication channel in a storage device, wherein the name of the first apparatus is obtained from a REGISTER message sent by the first apparatus, and the name of the first apparatus and the identification information are associated with each other; establish a second encrypted communication channel between the session management apparatus and the second apparatus based on mutual authentication with the second apparatus; receive an INVITE message including a name of the first apparatus via the first encrypted communication channel; determine whether the name included in the INVITE message is correct by comparing the name included in the INVITE message with the name, obtained from the REGISTER message, that is stored in the storage device and that is associated with the identification information of the first encrypted communication channel; and send the INVITE message to the second apparatus via the second encrypted communication channel.

2. The session management apparatus as claimed in claim 1, wherein, if the session management apparatus determines that the name of the first apparatus included in the INVITE message is not correct, the session management apparatus sends an error message to the first apparatus.

3. A session management apparatus that can connect to a first apparatus and a second apparatus over a network, the first apparatus and the second apparatus exchanging Session Initiation Protocol (SIP) messages via the session management apparatus to establish a connection, the session management apparatus comprising: circuitry configured to: exchange key information for encrypted communication with the first apparatus; perform mutual authentication with the first apparatus to establish a first encrypted communication channel between the session management apparatus and the first apparatus; establish a second encrypted communication channel between the session management apparatus and the second apparatus based on mutual authentication with the second apparatus; receive, from the first apparatus via the first encrypted communication channel, an INVITE message including a first header indicating reliability of a route between the first apparatus and the session management apparatus; add a second header indicating reliability of a route between the session management apparatus and the second apparatus to the INVITE message; and send the INVITE message to the second apparatus via the second encrypted communication channel, wherein, when the session management apparatus receives, from another session management apparatus, an INVITE message to which headers indicating reliability of routes are added, the session management apparatus adds an additional header indicating reliability of a route between the session management apparatus and a next apparatus to the INVITE message, and sends the INVITE message to the next apparatus.

4. The session management apparatus as claimed in claim 3, wherein the first header includes an address of the first apparatus, and in response to receiving the first header, the session management apparatus determines validity of the first header by comparing an address included in the first header and an address of the first apparatus.

5. A method for transferring a message among a first apparatus, a session management apparatus and a second apparatus each connected to a network, the first apparatus and the second apparatus exchanging Session Initiation Protocol (SIP) messages via the session management apparatus to establish a connection, wherein: the session management apparatus and the first apparatus exchange key information for encrypted communication and perform mutual authentication to establish a first encrypted communication channel between the session management apparatus and the first apparatus, and the session management apparatus stores a name of the first apparatus and identification information of the first encrypted communication channel in a storage device, wherein the name of the first apparatus is obtained from a REGISTER message sent by the first apparatus, and the name of the first apparatus and the identification information are associated with each other; the session management apparatus and the second apparatus perform mutual communication to establish a second encrypted communication channel between the session management apparatus and the second apparatus; the first apparatus sends an INVITE message including a name of the first apparatus via the first encrypted communication channel to the session management apparatus; the session management apparatus determines whether the name included in the INVITE message is correct by comparing the name included in the INVITE message with the name, obtained from the REGISTER message, that is stored in the storage device and that is associated with the identification information of the first encrypted communication channel; and the session management apparatus sends the INVITE message to the second apparatus via the second encrypted communication channel.

6. A method for transferring a message among a first apparatus, a session management apparatus and a second apparatus each connected to a network, the first apparatus and the second apparatus exchanging Session Initiation Protocol (SIP) messages via the session management apparatus to establish a connection, wherein: the session management apparatus and the first apparatus exchange key information for encrypted communication and perform mutual authentication to establish a first encrypted communication channel between the session management apparatus and the first apparatus; the session management apparatus and the second apparatus perform mutual communication to establish a second encrypted communication channel between the session management apparatus and the second apparatus; the first apparatus sends, to the session management apparatus via the first encrypted communication channel, an INVITE message including a first header indicating reliability of a route between the first apparatus and the session management apparatus; and the session management apparatus adds a second header indicating reliability of a route between the session management apparatus and the second apparatus to the INVITE message, and sends the INVITE message to the second apparatus via the second encrypted communication channel, wherein, when the session management apparatus receives, from another session management apparatus, an INVITE message to which headers indicating reliability of routes are added, the session management apparatus adds an additional header indicating reliability of a route between the session management apparatus and a next apparatus to the INVITE message, and sends the INVITE message to the next apparatus.

7. A non-transitory computer-readable medium including a computer program, which when executed by a computer causes the computer to function as a session management apparatus that can connect to a first apparatus and a second apparatus over a network, the first apparatus and the second apparatus exchanging Session Initiation Protocol (SIP) messages via the session management apparatus to establish a connection, the computer program comprising: program code for exchanging key information for encrypted communication with the first apparatus and performing mutual authentication with the first apparatus to establish a first encrypted communication channel between the session management apparatus and the first apparatus, and storing a name of the first apparatus and identification information of the first encrypted communication channel in a storage device, wherein the name of the first apparatus is obtained from a REGISTER message sent by the first apparatus, and the name of the first apparatus and the identification information are associated with each other; program code for establishing a second encrypted communication channel between the session management apparatus and the second apparatus based on mutual authentication with the second apparatus; program code for receiving an INVITE message including a name of the first apparatus via the first encrypted communication channel; program code for determining whether the name included in the INVITE message is correct by comparing the name included in the INVITE message with the name, obtained from the REGISTER message, that is stored in the storage device and that is associated with the identification information of the first encrypted communication channel; and program code for sending the INVITE message to the second apparatus via the second encrypted communication channel.

8. A non-transitory computer-readable medium including a computer program, which when executed by a computer causes the computer to function as a session management apparatus that can connect to a first apparatus and a second apparatus over a network, the first apparatus and the second apparatus exchanging Session Initiation Protocol (SIP) messages via the session management apparatus to establish a connection, the computer program comprising: program code for exchanging key information for encrypted communication with the first apparatus and performing mutual authentication with the first apparatus to establish a first encrypted communication channel between the session management apparatus and the first apparatus; program code for establishing a second encrypted communication channel between the session management apparatus and the second apparatus based on mutual authentication with the second apparatus; program code for receiving, from the first apparatus via the first encrypted communication channel, an INVITE message including a first header indicating reliability of a route between the first apparatus and the session management apparatus; program code for adding a second header indicating reliability of a route between the session management apparatus and the second apparatus to the INVITE message, and sending the INVITE message to the second apparatus via the second encrypted communication channel; and program code for, when the session management apparatus receives, from another session management apparatus, an INVITE message to which headers indicating reliability of routes are added, adding an additional header indicating reliability of a route between the session management apparatus and a next apparatus to the INVITE message, and sending the INVITE message to the next apparatus.
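
The checks of claims 1 to 4 (restated as program code in claims 7 and 8), as an added example that is not the patent's own code: a toy SIP session manager that binds the REGISTER address-of-record to the encrypted channel it arrived on, rejects an INVITE whose From name does not match that binding, verifies the route-reliability header's address against the channel peer, and appends its own hop header before forwarding. The channel ids, the peer address learned at mutual authentication, the flag marking a channel to another manager, the X-Reliable-Route header name with its from=...;to=... format, and the 403 error are this example's assumptions; the address check is also applied, beyond claim 4, to INVITEs relayed by another manager.

```python
from dataclasses import dataclass

ROUTE_HDR = "X-Reliable-Route"  # assumed header name; the claims do not name it

# Constructed sample traffic (toy, LF line endings; real SIP uses CRLF).
REGISTER_MSG = """REGISTER sip:sms.example SIP/2.0
From: <sip:alice@a.example>;tag=1
To: <sip:alice@a.example>
Call-ID: r1
"""
INVITE_MSG = """INVITE sip:bob@b.example SIP/2.0
From: "Alice" <sip:alice@a.example>;tag=2
To: <sip:bob@b.example>
Call-ID: i1
X-Reliable-Route: from=10.0.0.1;to=sms.example

v=0
"""
SPOOFED_INVITE = INVITE_MSG.replace("sip:alice@a.example", "sip:impostor@a.example")

def parse_sip(raw):
    """Return (request line, [(name, value), ...], body) for one SIP message."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def build_sip(request_line, headers, body):
    return request_line + "\n" + "\n".join(f"{n}: {v}" for n, v in headers) + "\n\n" + body

def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

def sip_name(field):
    """'"Alice" <sip:alice@a.example>;tag=2' -> 'alice@a.example'."""
    uri = field.split("sip:", 1)[1]
    return uri.split(">")[0].split(";")[0].strip()

@dataclass
class Channel:
    """One mutually authenticated encrypted channel: channel_id is the claims'
    'identification information'; peer_addr is assumed learned at authentication."""
    channel_id: str
    peer_addr: str
    is_manager: bool = False  # assumed flag: channel leads to another manager
    name: str = ""            # bound from REGISTER; empty until then

class SessionManager:
    def __init__(self, own_addr):
        self.own_addr = own_addr
        self.channels = {}  # channel_id -> Channel: the claims' 'storage device'

    def open_channel(self, channel_id, peer_addr, is_manager=False):
        # Called only after key exchange and mutual authentication succeed.
        self.channels[channel_id] = Channel(channel_id, peer_addr, is_manager)

    def on_register(self, channel_id, raw):
        """Claim 1: bind the REGISTER's address-of-record to its channel."""
        _, headers, _ = parse_sip(raw)
        name = sip_name(header_values(headers, "To")[0])
        self.channels[channel_id].name = name
        return name

    def on_invite(self, channel_id, raw, next_hop_addr):
        """Return ('error', reason) or ('forward', rewritten INVITE text)."""
        ch = self.channels[channel_id]
        req, headers, body = parse_sip(raw)
        if not ch.is_manager:
            # Claims 1-2: From must equal the name bound to THIS channel by
            # REGISTER, not merely some name registered somewhere.
            claimed = sip_name(header_values(headers, "From")[0])
            if not ch.name or claimed != ch.name:
                return ("error", "403 Forbidden: From does not match channel binding")
        # Claims 3-4: the newest route header must name the sender's address.
        routes = header_values(headers, ROUTE_HDR)
        if not routes or routes[-1].split(";")[0] != f"from={ch.peer_addr}":
            return ("error", "403 Forbidden: route header address mismatch")
        headers.append((ROUTE_HDR, f"from={self.own_addr};to={next_hop_addr}"))
        return ("forward", build_sip(req, headers, body))
```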

9. A method for establishing an encrypted communication channel between a first apparatus and a second apparatus, and performing communication between the second apparatus and a third apparatus using the encrypted communication channel, comprising: a first step of exchanging key information for encrypted communication and performing mutual authentication between a session management apparatus and the second apparatus so as to establish a second encrypted communication channel between the session management apparatus and the second apparatus; a second step in which the first apparatus is accessed by the third apparatus; a third step of exchanging key information for encrypted communication and performing mutual authentication between the session management apparatus and the first apparatus so as to establish a first encrypted communication channel between the session management apparatus and the first apparatus; a fourth step in which the first apparatus sends, to the session management apparatus via the first encrypted communication channel, a connection request message destined for the second apparatus including key information used for encrypted communication between the first apparatus and the second apparatus, and the session management apparatus sends the connection request message to the second apparatus via the second encrypted communication channel; a fifth step in which the second apparatus sends, to the session management apparatus via the second encrypted communication channel, a response message including key information used for encrypted communication between the first apparatus and the second apparatus in response to receiving the connection request message, and the session management apparatus sends the response message to the first apparatus via the first encrypted communication channel; a sixth step in which the first apparatus receives data from the second apparatus via the encrypted communication channel established between the first apparatus and the second apparatus, and sends the data to the third apparatus, wherein the first apparatus is provided with a table including at least one connection destination permitted for the third apparatus, and the first apparatus sends information of the at least one connection destination to the third apparatus in response to receiving access from the third apparatus, and receives a connection destination from the third apparatus so as to send the connection request message destined for the second apparatus to the session management apparatus in the fourth step based on the connection destination received from the third apparatus.

10. The method as claimed in claim 9, wherein the session management apparatus has information for determining whether connection is permitted between apparatuses, when the session management apparatus receives a connection request message destined for an apparatus of a connection request destination from an apparatus of a connection request source, the session management apparatus determines whether connection between the apparatus of the connection request destination and the apparatus of the connection request source is permitted by referring to the information, and if the connection is permitted, the session management apparatus sends the connection request message to the apparatus of the connection request destination, and if the connection is not permitted, the session management apparatus rejects the connection without sending the connection request message to the apparatus of the connection request destination.

11. A method for establishing an encrypted communication channel between a first apparatus and a second apparatus, and performing communication between the second apparatus and a third apparatus using the encrypted communication channel, comprising: a first step of exchanging key information for encrypted communication and performing mutual authentication between a session management apparatus and the first apparatus so as to establish a first encrypted communication channel between the session management apparatus and the first apparatus; a second step of exchanging key information for encrypted communication and performing mutual authentication between the session management apparatus and the second apparatus so as to establish a second encrypted communication channel between the session management apparatus and the second apparatus; a third step in which the first apparatus is accessed by the third apparatus; a fourth step in which the first apparatus sends, to the session management apparatus via the first encrypted communication channel, a connection request message destined for the second apparatus including key information used for encrypted communication between the first apparatus and the second apparatus, and the session management apparatus sends the connection request message to the second apparatus via the second encrypted communication channel; a fifth step in which the second apparatus sends, to the session management apparatus via the second encrypted communication channel, a response message including key information used for encrypted communication between the first apparatus and the second apparatus in response to receiving the connection request message, and the session management apparatus sends the response message to the first apparatus via the first encrypted communication channel; a sixth step in which the first apparatus receives data from the second apparatus via the encrypted communication channel established between the first apparatus and the second apparatus, and sends the data to the third apparatus, wherein the first apparatus is provided with a table including at least one connection destination permitted for the third apparatus, and the first apparatus sends information of the at least one connection destination to the third apparatus in response to receiving access from the third apparatus, and receives a connection destination from the third apparatus so as to send the connection request message destined for the second apparatus to the session management apparatus in the fourth step based on the connection destination received from the third apparatus.

12. The method as claimed in claim 11, wherein the session management apparatus has information for determining whether connection is permitted between apparatuses, when the session management apparatus receives a connection request message destined for an apparatus of a connection request destination from an apparatus of a connection request source, the session management apparatus determines whether connection between the apparatus of the connection request destination and the apparatus of the connection request source is permitted by referring to the information, and if the connection is permitted, the session management apparatus sends the connection request message to the apparatus of the connection request destination, and if the connection is not permitted, the session management apparatus rejects the connection without sending the connection request message to the apparatus of the connection request destination.

13. An apparatus that establishes an encrypted communication channel to a second apparatus by using a session management apparatus, the apparatus comprising: a first part configured to exchange key information for encrypted communication with the session management apparatus, perform mutual authentication with the session management apparatus so as to establish an encrypted communication channel between the apparatus and the session management apparatus; a second part configured to send, to the session management apparatus via the encrypted communication channel, a connection request message including key information for encrypted communication between the apparatus and the second apparatus, and receive, from the second apparatus via the session management apparatus, a response message including key information for encrypted communication between the apparatus and the second apparatus so as to establish an encrypted communication channel between the apparatus and the second apparatus; a part configured to perform, after being accessed by a third apparatus, processing by the first part for establishing the encrypted communication channel between the apparatus and the session management apparatus, and processing by the second part for establishing the encrypted communication channel between the apparatus and the second apparatus, and receive data from the second apparatus via the encrypted communication channel established between the apparatus and the second apparatus, and send the data to the third apparatus; a table including at least one connection destination permitted for the third apparatus; and a part configured to send information of the at least one connection destination to the third apparatus in response to receiving access from the third apparatus, and receive a connection destination from the third apparatus, wherein the second part sends the connection request message destined for the second apparatus to the session management apparatus based on the connection destination received from the third apparatus.

14. An apparatus that establishes an encrypted communication channel to a second apparatus by using a session management apparatus, the apparatus comprising: a first part configured to exchange key information for encrypted communication with the session management apparatus, perform mutual authentication with the session management apparatus so as to establish an encrypted communication channel between the apparatus and the session management apparatus; a second part configured to send, to the session management apparatus via the encrypted communication channel, a connection request message including key information for encrypted communication between the apparatus and the second apparatus, and receive, from the second apparatus via the session management apparatus, a response message including key information for encrypted communication between the apparatus and the second apparatus so as to establish an encrypted communication channel between the apparatus and the second apparatus; a part configured to perform, after being accessed by a third apparatus, processing by the second part for establishing the encrypted communication channel between the apparatus and the second apparatus, and receive data from the second apparatus via the encrypted communication channel established between the apparatus and the second apparatus, and send the data to the third apparatus; a table including at least one connection destination permitted for the third apparatus; and a part configured to send information of the at least one connection destination to the third apparatus in response to receiving access from the third apparatus, and receive a connection destination from the third apparatus, wherein the second part sends the connection request message destined for the second apparatus to the session management apparatus based on the connection destination received from the third apparatus.

15. A non-transitory computer-readable medium including computer program instructions, which when executed by an apparatus, cause the apparatus to perform a method of establishing an encrypted communication channel to a second apparatus by using a session management apparatus, the method comprising: exchanging key information for encrypted communication with the session management apparatus; performing mutual authentication with the session management apparatus so as to establish an encrypted communication channel between the apparatus and the session management apparatus; sending, to the session management apparatus via the encrypted communication channel, a connection request message including key information for encrypted communication between the apparatus and the second apparatus; receiving, from the second apparatus via the session management apparatus, a response message including key information for encrypted communication between the apparatus and the second apparatus so as to establish an encrypted communication channel between the apparatus and the second apparatus; establishing, after being accessed by a third apparatus, the encrypted communication channel between the apparatus and the session management apparatus; establishing the encrypted communication channel between the apparatus and the second apparatus; receiving data from the second apparatus via the encrypted communication channel established between the apparatus and the second apparatus; sending the data to the third apparatus; storing at least one connection destination permitted for the third apparatus; sending information of the at least one connection destination to the third apparatus in response to receiving access from the third apparatus; receiving a connection destination from the third apparatus; and sending the connection request message destined for the second apparatus to the session management apparatus based on the connection destination received from the third apparatus.

16. A non-transitory computer-readable medium including computer program instructions, which when executed by an apparatus, cause the apparatus to perform a method of establishing an encrypted communication channel to a second apparatus by using a session management apparatus, the method comprising: exchanging key information for encrypted communication with the session management apparatus; performing mutual authentication with the session management apparatus so as to establish an encrypted communication channel between the apparatus and the session management apparatus; sending, to the session management apparatus via the encrypted communication channel, a connection request message including key information for encrypted communication between the apparatus and the second apparatus; receiving, from the second apparatus via the session management apparatus, a response message including key information for encrypted communication between the apparatus and the second apparatus to establish an encrypted communication channel between the apparatus and the second apparatus; establishing the encrypted communication channel between the apparatus and the second apparatus; receiving data from the second apparatus via the encrypted communication channel established between the apparatus and the second apparatus; sending the data to the third apparatus; storing at least one connection destination permitted for the third apparatus; sending information of the at least one connection destination to the third apparatus in response to receiving access from the third apparatus; receiving a connection destination from the third apparatus; and sending the connection request message destined for the second apparatus to the session management apparatus based on the connection destination received from the third apparatus.

Patent Metadata

Filing Date

Unknown

Publication Date

August 20, 2013

Inventors

Makoto Saito
Osamu Tokunaga
Toshiyuki Yamasaki
Shin Miyakawa
Yasuhiro Shirasaki
Takamasa Uchiyama
Satoshi Fukada
Takashi Egashira
Toshiaki Suzuki

Citation & reuse

Cite as: Patentable. “METHOD, APPARATUS AND PROGRAM FOR ESTABLISHING ENCRYPTED COMMUNICATION CHANNEL BETWEEN APPARATUSES” (8515066). https://patentable.app/patents/8515066